Play by Forum (PBF) Error (Cert) #2554

Closed
ghostronin opened this issue Oct 29, 2017 · 12 comments

@ghostronin

commented Oct 29, 2017

1508817523236-triplea_352_ger1_Github.zip

My Operating System:

Windows 10 Pro x64

TripleA version:

1.9.0.0.7062

Map:

Total World War (TWW) 2.7.7.2

Can you describe how to trigger the error? (eg: what sequence of actions will recreate it?)

Test post to forum and/or post game save to forum for PBF

Do you have the exact error text?

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Instead of this error, what should have happened?

Test post to forum and/or post game save to forum for PBF

Any additional information that may help:

triplea.engine.version.bin:1.9
Loading map: total_world_war, from: C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7062\assets]
Loading map: total_world_war, from: C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7062\assets]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at games.strategy.engine.pbem.TripleAForumPoster.login(TripleAForumPoster.java:116)
	at games.strategy.engine.pbem.TripleAForumPoster.getUserId(TripleAForumPoster.java:93)
	at games.strategy.engine.pbem.TripleAForumPoster.postTurnSummary(TripleAForumPoster.java:39)
	at games.strategy.engine.framework.startup.ui.editors.ForumPosterEditor.lambda$testForum$251(ForumPosterEditor.java:143)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 31 more
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at games.strategy.engine.pbem.TripleAForumPoster.login(TripleAForumPoster.java:116)
	at games.strategy.engine.pbem.TripleAForumPoster.getUserId(TripleAForumPoster.java:93)
	at games.strategy.engine.pbem.TripleAForumPoster.postTurnSummary(TripleAForumPoster.java:39)
	at games.strategy.engine.framework.startup.ui.editors.ForumPosterEditor.lambda$testForum$251(ForumPosterEditor.java:143)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 31 more
Loading map: total_world_war, from: C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7062\assets]
Loading map: total_world_war, from: C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\total_world_war-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7062\assets]
Heap utilization statistics [MB]
Used Memory: 353
Free memory: 556
Total memory: 910
Max memory: 910
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at games.strategy.engine.pbem.TripleAForumPoster.login(TripleAForumPoster.java:116)
	at games.strategy.engine.pbem.TripleAForumPoster.getUserId(TripleAForumPoster.java:93)
	at games.strategy.engine.pbem.TripleAForumPoster.postTurnSummary(TripleAForumPoster.java:39)
	at games.strategy.engine.pbem.PBEMMessagePoster.post(PBEMMessagePoster.java:109)
	at games.strategy.engine.pbem.PBEMMessagePoster.lambda$postTurn$324(PBEMMessagePoster.java:240)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 32 more
Heap utilization statistics [MB]
Used Memory: 352
Free memory: 558
Total memory: 910
Max memory: 910

@ron-murhammer ron-murhammer changed the title Play by Forum (PBF) error Play by Forum (PBF) Error (Cert) Oct 29, 2017

@ssoloff

Member

commented Oct 30, 2017

@ghostronin Thanks for the information. We kind of know what's going on with these types of errors, but to start the process of resolving it, we first have to determine which certificate is causing the problem. Please perform the following steps when you have a chance:

  • Install OpenSSL.
    • The latest portable binary for Windows 64-bit is here.
    • Unzip that file someplace.
  • Open a Command Prompt and go to the folder where you unzipped OpenSSL. Then run the following command: openssl s_client -showcerts -connect raw.githubusercontent.com:443
  • Please paste the output in a new comment to this issue.
@ghostronin

Author

commented Nov 3, 2017

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL> s_client -showcerts -connect raw.githubusercontent.com:443
CONNECTED(0000022C)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=www.github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=www.github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3826 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FC72418F01C2948A1C66972B6B7BB9F72821FF2F10B49C0EA2D09D220D8F0196
    Session-ID-ctx:
    Master-Key: C0049308E4BD6DC059FA3FC679806898CA7F43A2CCF1E13E430FE154D8D136A8D94F64F753B5EE70D13BE17C58BF84B6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1200 (seconds)
    TLS session ticket:

    Start Time: 1509674228
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
@ssoloff

Member

commented Nov 3, 2017

Thanks, @ghostronin!

So, unlike the other case we examined, it appears you're not behind a TLS proxy, as you're getting the correct certificate chain. Interesting...

Can you please do the following so we can investigate further:

  1. Provide the version of Java you are using.
    • You can find this in Control Panel under Programs > Programs and Features.
  2. Attach your Java cacerts file to this issue.
    • This file is buried inside your Java installation directory. For example, C:\Program Files\Java\jre1.8.0_121\lib\security\cacerts.
    • You'll need to zip the file before attaching it or GitHub will refuse to accept it.
  3. Run TripleA with TLS tracing enabled:
    1. Open a Command Prompt and navigate to the directory where you installed TripleA.
    2. Run the following command:
      • java -Djavax.net.debug=ssl -jar bin\triplea.jar > ssl.log
    3. Once the TripleA main menu appears, click Download Maps.
    4. Once the Download Maps window appears, click Close.
    5. From the main menu, click Quit.
    6. Zip and attach the ssl.log file that should now be present in your TripleA installation directory.
@ghostronin

Author

commented Nov 4, 2017

cacerts.zip
ssl.zip

Java 8 Update 144, 8.0.1440.1, build 1.8.0_144-b01

@ssoloff

Member

commented Nov 5, 2017

@ghostronin Thanks for the logs. There were 17 separate TLS connections to GitHub, and they all appear to have been successful. The certificate chain was validated successfully each time, and no other exceptions are present. Did you see the error message you originally reported (or any other error message) when you were capturing these logs?

Reviewing your original post once again, I'm wondering if I made an incorrect assumption about your problem. All the other users who have reported this error experienced it while trying to download files from GitHub. You said specifically that it occurs only once you attempt to post a save game to a forum.

That's the part I missed. Your problem may be specific to PBF and not a general TLS problem like the other users have experienced. In which case, I should have asked you to capture the TLS logs while doing a PBF test post or something similar.

Therefore, can you please re-capture the TLS logs (item (3) above)? Instead of steps (iii) and (iv), please run the Test Post command for both AxisAndAllies.org and forums.triplea-game.org (I believe you have accounts for both services), exit TripleA, and re-post the ssl.log file. Note that you should delete the existing ssl.log file in your TripleA installation directory first so that we keep the test runs separate.

@ghostronin

Author

commented Nov 5, 2017

Hmmm... when I run TripleA and test post after opening via the command prompt you gave me: java -Djavax.net.debug=ssl -jar bin\triplea.jar > ssl.log, it works. The test works correctly, see: https://forums.triplea-game.org/topic/352/redrum-axis-vs-ghostronin-allies-tww-2-7-7-2/12

However, when I open TripleA via shortcut or directly through the program and attempt to test-post, the same error occurs as I initially stated. Thoughts? I've attached the log requested, although it works when running via command prompt.
ssl.zip

@ssoloff

Member

commented Nov 5, 2017

Yes, interesting. I wonder if when you run TripleA via the launcher, it's using a different JVM that might have a different cacerts file that doesn't contain the CA certificate for the Let's Encrypt certificate triplea-game.org uses.

Let's determine the JVM TripleA is using when you run it via the launcher. Please do the following:

  • Start TripleA from the launcher or shortcut.
  • Start a local game (doesn't matter which map).
  • Once the game window is displayed, select Debug > Show Console.
  • Click the Properties button in the TripleA Console window.
  • Paste the content of the console window into a new comment.

BTW, I forgot to ask you this before... When you get the error, is it only with forums.triplea-game.org, or do you also see it with axisandallies.org? I ask because A&A.org recently switched to HTTPS, and I would have thought you would have started seeing it there, as well, but I noticed you posted there yesterday. That's leading me to believe the problem may be specific to validating the Let's Encrypt certificate used by triplea-game.org.

@ghostronin

Author

commented Nov 5, 2017

The error is only with forums.triplea-game.org. axisandallies.org has been working for me via PBF. See: https://www.axisandallies.org/forums/index.php?topic=40781.0
https://www.axisandallies.org/forums/index.php?topic=40804.0

triplea.engine.version.bin:1.9
Loading map: world_war_ii_classic, from: C:\Users\Master\triplea\downloadedMaps\world_war_ii_classic-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\world_war_ii_classic-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\assets]
Loading map: world_war_ii_classic, from: C:\Users\Master\triplea\downloadedMaps\world_war_ii_classic-master.zip
Loading resources from the following paths: [C:\Users\Master\triplea\downloadedMaps\world_war_ii_classic-master.zip, E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\assets]
Heap utilization statistics [MB]
Used Memory: 73
Free memory: 908
Total memory: 981
Max memory: 981
SYSTEM PROPERTIES
awt.toolkit sun.awt.windows.WToolkit
exe4j.consoleCodepage cp0
exe4j.isInstall4j true
exe4j.launchName E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\TripleA.exe
exe4j.moduleName E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\TripleA.exe
exe4j.semaphoreName Local\e:_gaming_triplea_triplea_1.9.0.0.7378_triplea_triplea.exe0
exe4j.tempDir 
exe4j.unextractedPosition 0
file.encoding Cp1252
file.encoding.pkg sun.io
file.separator \
install4j.appDir E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\
install4j.exeDir E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\
install4j.launcherId 33
install4j.swt false
java.awt.graphicsenv sun.awt.Win32GraphicsEnvironment
java.awt.printerjob sun.awt.windows.WPrinterJob
java.class.path E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\.install4j\i4jruntime.jar;E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\.\bin\triplea.jar
java.class.version 52.0
java.endorsed.dirs c:\program files\common files\i4j_jres\1.8.0_66\lib\endorsed
java.ext.dirs c:\program files\common files\i4j_jres\1.8.0_66\lib\ext;C:\WINDOWS\Sun\Java\lib\ext
java.home c:\program files\common files\i4j_jres\1.8.0_66
java.io.tmpdir C:\Users\Master\AppData\Local\Temp\
java.library.path C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\FileBot\;C:\Users\Master\AppData\Local\Microsoft\WindowsApps;;c:\program files\common files\i4j_jres\1.8.0_66\bin
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.8.0_66-b17
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 1.8
java.vendor Oracle Corporation
java.vendor.url http://java.oracle.com/
java.vendor.url.bug http://bugreport.sun.com/bugreport/
java.version 1.8.0_66
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 1.8
java.vm.vendor Oracle Corporation
java.vm.version 25.66-b17
line.separator 

os.arch amd64
os.name Windows 10
os.version 10.0
path.separator ;
sun.arch.data.model 64
sun.awt.enableExtraMouseButtons true
sun.awt.exception.handler games.strategy.triplea.ui.ErrorHandler
sun.boot.class.path c:\program files\common files\i4j_jres\1.8.0_66\lib\resources.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\rt.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\sunrsasign.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\jsse.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\jce.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\charsets.jar;c:\program files\common files\i4j_jres\1.8.0_66\lib\jfr.jar;c:\program files\common files\i4j_jres\1.8.0_66\classes
sun.boot.library.path c:\program files\common files\i4j_jres\1.8.0_66\bin
sun.cpu.endian little
sun.cpu.isalist amd64
sun.desktop windows
sun.io.unicode.encoding UnicodeLittle
sun.java.command E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA\TripleA.exe
sun.jnu.encoding Cp1252
sun.management.compiler HotSpot 64-Bit Tiered Compilers
sun.os.patch.level 
triplea.engine.version.bin 1.9
user.country US
user.dir E:\Gaming\TripleA\TripleA_1.9.0.0.7378\TripleA
user.home C:\Users\Master
user.language en
user.name Master
user.script 
user.timezone America/New_York
user.variant 
@ssoloff

Member

commented Nov 5, 2017

java.home c:\program files\common files\i4j_jres\1.8.0_66

Yeah, so it looks like install4j downloaded and installed Java 1.8.0_66 when you installed TripleA at some time in the past and is continuing to use that version instead of the 1.8.0_144 version you probably installed yourself.

Can you please send me the cacerts file from c:\program files\common files\i4j_jres\1.8.0_66\lib\security? I suspect we'll find that it does not contain the required CA certificate.

I verified that the cacerts file you sent me from your Java 1.8.0_144 install does have the required CA certificate. So, if we find out your 1.8.0_66 install doesn't have the CA certificate, Oracle probably added it sometime between updates 66 and 144.

The install4j launcher searches for an appropriate JRE to use. I'm guessing it gives higher weight to JREs it installed itself. Therefore, the fix might be as simple as deleting the old 1.8.0_66 JRE to force the launcher search algorithm to locate the 1.8.0_144 JRE. If you do that, I would suggest deleting it temporarily (i.e. sending it to the Recycle Bin) so it can be restored if it turns out it does not fix the issue. In reality, that JRE is probably not used for anything else except the TripleA launcher.

@ssoloff

Member

commented Nov 5, 2017

Using the 1.8.0_66 JRE in the triplea-game/assets repo, I confirmed that its cacerts file does not contain an entry for the root CA used to sign the triplea-game.org certificate (DST Root CA X3; SHA-1 fingerprint: DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13).
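
The trust-store check described in the comment above, as an added example that is not part of the original thread or of TripleA's code: it reports which JRE is running and whether a `cacerts` file holds a certificate with the SHA-1 fingerprint quoted in the thread. The class name `TrustStoreCheck` is hypothetical; the default path `lib/security/cacerts` under `java.home` and loading with a null password (which skips the integrity check but still reads certificate entries) are assumptions about a stock JRE.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Added example (hypothetical class): look up a CA in a JRE trust store by fingerprint. */
public class TrustStoreCheck {

    // SHA-1 fingerprint of DST Root CA X3, copied from the thread.
    static final String DEFAULT_FINGERPRINT =
            "DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13";

    /** Colon-separated upper-case SHA-1 over the DER encoding, as keytool prints it. */
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Returns the alias of the entry whose fingerprint matches, or null if none does. */
    static String findByFingerprint(KeyStore store, String wanted) throws Exception {
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            if (cert != null && sha1Fingerprint(cert).equalsIgnoreCase(wanted.trim())) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String javaHome = System.getProperty("java.home");
        // args[0]: optional path to a cacerts file from another JRE.
        Path storePath = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(javaHome, "lib", "security", "cacerts");
        // args[1]: optional fingerprint to search for.
        String wanted = args.length > 1 ? args[1] : DEFAULT_FINGERPRINT;

        System.out.println("java.home    = " + javaHome);
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("trust store  = " + storePath);

        // JSSE uses this property instead of cacerts when it is set.
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            System.out.println("note: javax.net.ssl.trustStore is set to " + override);
        }

        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) {
            store.load(in, null); // null password: no integrity check, certs still readable
        }
        System.out.println("entries      = " + store.size());

        String alias = findByFingerprint(store, wanted);
        if (alias == null) {
            System.out.println("MISSING: no entry with SHA-1 " + wanted);
            System.exit(1);
        }
        Certificate cert = store.getCertificate(alias);
        String subject = cert instanceof X509Certificate
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "(non-X.509 entry)";
        System.out.println("FOUND: alias=" + alias + " subject=" + subject);
    }
}
```

Passing the path of another JRE's `cacerts` as the first argument compares trust stores without having to launch that JRE; run with no arguments, it checks the store of the JRE that is executing it.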

@ghostronin

Author

commented Nov 5, 2017

Deleted Java 1.8.0_66. Reinstalled TripleA. Now it appears PBF via forums.triplea-game.org is working. Thank you ssoloff!!!!

@ssoloff

Member

commented Nov 5, 2017

Excellent! Now we at least have one confirmed troubleshooting path we can offer other users who are experiencing the same TLS certificate path validation error. Thanks for taking the time to slog through this, @ghostronin.

Tagging related issues #2468 and #2472 for trackbacks.
